Bug 18938 - libgd new security issues CVE-2016-6132, CVE-2016-6207, CVE-2016-6214, and CVE-2016-6905
Summary: libgd new security issues CVE-2016-6132, CVE-2016-6207, CVE-2016-6214, and CVE-2016-6905
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/694782/
Whiteboard: MGA5-32-OK MGA-64-OK advisory
Keywords: validated_update
Depends on:
Blocks: 18947 19009
Reported: 2016-07-13 15:29 CEST by David Walser
Modified: 2016-09-01 17:20 CEST

See Also:
Source RPM: libgd-2.2.2-1.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-07-13 15:29:21 CEST
A CVE has been assigned for a bug fixed upstream in libgd:
http://openwall.com/lists/oss-security/2016/06/30/10

That was the first issue fixed upstream in issue #247.

A second bug reported in issue #247 has been fixed in the following commit:
https://github.com/libgd/libgd/commit/341aa68

and a CVE has been requested for it too:
http://openwall.com/lists/oss-security/2016/07/13/5

Finally, a CVE has been requested for upstream issue #248:
http://openwall.com/lists/oss-security/2016/07/12/4

There's a pull request with a fix, but it hasn't been approved/committed yet.

I have committed the CVE-2016-6132 fix in SVN (pushed in Cauldron), but am waiting for CVEs and a fix to be committed for the last issue.

The update for Mageia 5 will also fix a bug in the last update that caused some builds against libgd to fail.
Comment 1 David Walser 2016-07-14 01:06:23 CEST
(In reply to David Walser from comment #0)
> A second bug reported in issue #247 has been fixed in the following commit:
> https://github.com/libgd/libgd/commit/341aa68
> 
> and a CVE has been requested for it too:
> http://openwall.com/lists/oss-security/2016/07/13/5

CVE-2016-6214:
http://openwall.com/lists/oss-security/2016/07/13/12

Summary: libgd new security issue CVE-2016-6132 => libgd new security issues CVE-2016-6132 and CVE-2016-6214

Comment 2 Marja Van Waes 2016-07-14 14:09:11 CEST
Assigning to maintainer, but CC'ing all packagers collectively, since I haven't seen the maintainer coming back.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => oe

Comment 3 Marja Van Waes 2016-07-14 14:10:05 CEST
Sorry, Philippem, I forgot to CC you

CC: (none) => makowski.mageia

David Walser 2016-07-15 12:52:02 CEST

Blocks: (none) => 18947

Comment 4 David Walser 2016-07-15 12:58:55 CEST
(In reply to David Walser from comment #0)
> Finally, a CVE has been requested for upstream issue #248:
> http://openwall.com/lists/oss-security/2016/07/12/4

Fix:
https://github.com/libgd/libgd/commit/5ddd5a7eab0c107d3a5b5e9cc142bd163e8bac38

Hoping to get a CVE assignment soon.
Comment 5 David Walser 2016-07-19 16:25:46 CEST
Debian has issued an advisory for this on July 15:
https://www.debian.org/security/2016/dsa-3619

URL: (none) => http://lwn.net/Vulnerabilities/694782/

Comment 6 David Walser 2016-07-20 16:17:11 CEST
Tired of waiting for the CVE.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header
reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or
RLE value (upstream issue 248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.2-1.2.mga5
libgd-devel-2.2.2-1.2.mga5
libgd-static-devel-2.2.2-1.2.mga5
gd-utils-2.2.2-1.2.mga5

from libgd-2.2.2-1.2.mga5.src.rpm

CC: makowski.mageia, marja11, pkg-bugs => (none)
Assignee: oe => qa-bugs
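
The advisory above describes one bug class three times over: a TGA loader trusting a header field (declared image size, bits per pixel, or an RLE packet count) and then reading past the bytes it actually has. The following stand-alone C validator is an added example for this bug report, not code from libgd's gd_tga.c or from the advisory; it shows the checks a loader needs before it touches pixel data. The status names, the decision to accept only 24- and 32-bit truecolor images (types 2 and 10), and the sample byte arrays are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating a TGA image held in memory. */
enum tga_status {
    TGA_OK = 0,
    TGA_TRUNCATED_HEADER,  /* fewer than the 18 header bytes */
    TGA_UNSUPPORTED_TYPE,  /* not uncompressed (2) or RLE (10) truecolor */
    TGA_BAD_BPP,           /* bits per pixel other than 24 or 32 (this checker's policy) */
    TGA_BAD_DIMENSIONS,    /* zero width or height */
    TGA_SHORT_DATA,        /* header promises more bytes than the buffer holds */
    TGA_RLE_OVERRUN        /* an RLE packet would emit pixels past the last one */
};

#define TGA_HEADER_LEN 18

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Reconcile the header-declared geometry with the bytes actually present,
   without touching any byte beyond len. */
enum tga_status tga_validate(const uint8_t *buf, size_t len)
{
    if (len < TGA_HEADER_LEN) return TGA_TRUNCATED_HEADER;

    uint8_t  id_len     = buf[0];
    uint8_t  cmap_type  = buf[1];
    uint8_t  image_type = buf[2];
    uint16_t cmap_len   = rd16le(buf + 5);
    uint8_t  cmap_bits  = buf[7];
    uint16_t width      = rd16le(buf + 12);
    uint16_t height     = rd16le(buf + 14);
    uint8_t  bpp        = buf[16];

    if (image_type != 2 && image_type != 10) return TGA_UNSUPPORTED_TYPE;
    if (bpp != 24 && bpp != 32) return TGA_BAD_BPP;
    if (width == 0 || height == 0) return TGA_BAD_DIMENSIONS;

    /* 16-bit dimensions times at most 4 bytes cannot overflow uint64_t,
       so the size implied by the header is computed exactly. */
    uint64_t bytes_per_pixel = bpp / 8;
    uint64_t total_pixels    = (uint64_t)width * height;
    uint64_t cmap_bytes      = cmap_type ? (uint64_t)cmap_len * ((cmap_bits + 7) / 8) : 0;
    uint64_t offset          = TGA_HEADER_LEN + id_len + cmap_bytes;
    if (offset > len) return TGA_SHORT_DATA;

    if (image_type == 2)   /* uncompressed: one fixed-size block of pixels */
        return (len - offset >= total_pixels * bytes_per_pixel) ? TGA_OK : TGA_SHORT_DATA;

    /* RLE: walk the packets, bounding both the input read and the output write. */
    size_t   pos     = (size_t)offset;
    uint64_t emitted = 0;
    while (emitted < total_pixels) {
        if (pos >= len) return TGA_SHORT_DATA;
        uint8_t  hdr   = buf[pos++];
        uint64_t count = (hdr & 0x7f) + 1;
        uint64_t need  = (hdr & 0x80) ? bytes_per_pixel : count * bytes_per_pixel;
        if (len - pos < need) return TGA_SHORT_DATA;
        if (emitted + count > total_pixels) return TGA_RLE_OVERRUN;
        pos     += (size_t)need;
        emitted += count;
    }
    return TGA_OK;
}

/* Constructed 2x2 24-bit samples; the macro fills the 18-byte header layout
   for dimensions below 256 (no id field, no colour map). */
#define TGA_HDR(type, w, h, bpp) \
    0, 0, (type), 0, 0, 0, 0, 0, 0, 0, 0, 0, (w), 0, (h), 0, (bpp), 0
static const uint8_t sample_ok[]          = { TGA_HDR(2, 2, 2, 24),
    0xff, 0, 0,  0, 0xff, 0,  0, 0, 0xff,  0xff, 0xff, 0xff };   /* 4 pixels */
static const uint8_t sample_short[]       = { TGA_HDR(2, 2, 2, 24),
    0xff, 0, 0,  0, 0xff, 0 };                                   /* only 2 of 4 */
static const uint8_t sample_bad_bpp[]     = { TGA_HDR(2, 2, 2, 20),
    0xff, 0, 0,  0, 0xff, 0,  0, 0, 0xff,  0xff, 0xff, 0xff };
static const uint8_t sample_rle_ok[]      = { TGA_HDR(10, 2, 2, 24),
    0x83, 0x12, 0x34, 0x56 };        /* one run packet: 4 copies of one pixel */
static const uint8_t sample_rle_overrun[] = { TGA_HDR(10, 2, 2, 24),
    0x87, 0x12, 0x34, 0x56 };        /* run of 8 pixels into a 4-pixel image */
static const uint8_t sample_rle_short[]   = { TGA_HDR(10, 2, 2, 24),
    0x03, 0x12, 0x34, 0x56 };        /* raw packet of 4 pixels, only 1 supplied */

int main(void)
{
    printf("ok=%d short=%d bad_bpp=%d rle_ok=%d rle_overrun=%d rle_short=%d\n",
           tga_validate(sample_ok, sizeof sample_ok),
           tga_validate(sample_short, sizeof sample_short),
           tga_validate(sample_bad_bpp, sizeof sample_bad_bpp),
           tga_validate(sample_rle_ok, sizeof sample_rle_ok),
           tga_validate(sample_rle_overrun, sizeof sample_rle_overrun),
           tga_validate(sample_rle_short, sizeof sample_rle_short));
    return 0;
}
```

The three failure paths map onto the three advisory items: sample_short is a header whose declared size exceeds the data present, sample_bad_bpp carries a depth the decoder has no row stride for, and sample_rle_overrun is a run-length packet that would write past the image buffer. Validating on the whole buffer before decoding, rather than discovering the shortfall mid-decode, is what keeps every read inside len.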

Comment 7 Len Lawrence 2016-07-21 00:24:01 CEST
Tried to find a way to use the PoC targa file to reproduce the issue before updating but cannot figure out how; what utility to use.  Using ImageMagick returns something but that is not using gdlib functions is it?

$ display test.tga
display: unexpected end-of-file `test.tga': No such file or directory @ error/tga.c/ReadTGAImage/552.

The upstream notice reports against gd_tga.c.

$ urpmq --whatrequires lib64gd3 | sort | uniq
amule
apcupsd
fceux
fswebcam
gd-utils
glibc-utils
gnuplot
gnuplot-nox
graphviz
lib64gd3
lib64gd-devel
lib64harbour-gd3
libgphoto-common
libpst
links-hacked
m17n-lib
mldonkey
mscgen
nagios-www
navit
nginx
nut-cgi
pcb
perl-GD
php-gd
python-gd
ruby-gd
tcl-graphviz
tengine
texlive
vnstat

$ urpmq -i gd-utils
    http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/5/x86_64/media/core/updates/media_info/20160719-124617-info.xml.lzma
Name        : gd-utils                                                         
Version     : 2.1.1
Release     : 1.mga5
Group       : System/Libraries
Size        : 108534                       Architecture: x86_64
Source RPM  : libgd-2.1.1-1.mga5.src.rpm
URL         : http://www.libgd.org/
Summary     : The Utils files for gd

There does not seem to be a way to find what the Utils files are.

/usr/bin contains:
/usr/bin/gd2copypal
/usr/bin/gd2togif
/usr/bin/gd2topng
/usr/bin/gdlib-config  -> deprecated

The implication of some of the inline comments is that one needs to be a programmer and to use gd_tga.c to read the specimen targa file.  I'll need to study the API.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2016-07-21 00:38:55 CEST
Tried to find a way to use the PoC targa file to reproduce the issue before updating but cannot figure out how; what utility to use.  Using ImageMagick returns something but that is not using gdlib functions is it?

$ display test.tga
display: unexpected end-of-file `test.tga': No such file or directory @ error/tga.c/ReadTGAImage/552.

The upstream notice reports against gd_tga.c.

$ urpmq --whatrequires lib64gd3 | sort | uniq
amule
apcupsd
fceux
fswebcam
gd-utils
glibc-utils
gnuplot
gnuplot-nox
graphviz
lib64gd3
lib64gd-devel
lib64harbour-gd3
libgphoto-common
libpst
links-hacked
m17n-lib
mldonkey
mscgen
nagios-www
navit
nginx
nut-cgi
pcb
perl-GD
php-gd
python-gd
ruby-gd
tcl-graphviz
tengine
texlive
vnstat

$ urpmq -i gd-utils
    http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/5/x86_64/media/core/updates/media_info/20160719-124617-info.xml.lzma
Name        : gd-utils                                                         
Version     : 2.1.1
Release     : 1.mga5
Group       : System/Libraries
Size        : 108534                       Architecture: x86_64
Source RPM  : libgd-2.1.1-1.mga5.src.rpm
URL         : http://www.libgd.org/
Summary     : The Utils files for gd

There does not seem to be a way to find what the Utils files are.

/usr/bin contains:
/usr/bin/gd2copypal
/usr/bin/gd2togif
/usr/bin/gd2topng
/usr/bin/gdlib-config  -> deprecated

The implication of some of the inline comments is that one needs to be a programmer and to use gd_tga.c to read the specimen targa file.  I'll need to study the API.
Comment 9 Len Lawrence 2016-07-21 00:39:40 CEST
What happened there?
Comment 10 David Walser 2016-07-21 18:38:21 CEST
I just saw CVE-2016-6207, fixed in PHP 5.6.24 and to be fixed in libgd 2.2.3, was committed on July 19:
https://bugs.php.net/bug.php?id=72558

I guess we should wait for 2.2.3.

Whiteboard: (none) => feedback

Comment 11 Len Lawrence 2016-07-21 19:25:03 CEST
OK David.

So far....
Worked through the list of dependent applications in comment 8 to find something that works easily.  Picking gnuplot demos at random from /usr/share/doc/gnuplot-nox/demo/ demonstrated that gnuplot worked effectively before the updates.  navit looks like an in-car navigation system.  Opened a vnstat database for the eth0 connection (enp3s0) and restarted the service.  Seems to be OK but not enough data yet to view.

Updated the packages on x86_64.
Tested gnuplot, restarted the vnstat service, checked navit, amule opens a gui dialogue OK, so does pcb.

Shallow testing looks OK.
Comment 12 David Walser 2016-07-21 19:29:09 CEST
If you want to exercise the GD API directly (like to open the PoC files), the easiest way I know of is to use PHP.  I've written a little bit of php-gd code myself.  It should be pretty well documented.
David Walser 2016-07-22 01:17:13 CEST

Blocks: (none) => 19009

Comment 13 Len Lawrence 2016-07-22 08:10:41 CEST
Thanks for the tip David.  Time to bite the bullet and delve into php.
Comment 14 David Walser 2016-07-22 14:27:41 CEST
Updated package uploaded for Mageia 5, freeze push pending for Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header
reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or
RLE value (upstream issue 248).

Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
https://bugs.php.net/bug.php?id=72558
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.3-1.mga5
libgd-devel-2.2.3-1.mga5
libgd-static-devel-2.2.3-1.mga5
gd-utils-2.2.3-1.mga5

from libgd-2.2.3-1.mga5.src.rpm

Summary: libgd new security issues CVE-2016-6132 and CVE-2016-6214 => libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214
Whiteboard: feedback => (none)
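
The advisory in this comment adds an integer overflow in _gdContributionsAlloc() (CVE-2016-6207). The bug report gives no further detail, so the C below is an added example of the general pattern, not libgd's function: an allocation size derived from image dimensions must be computed with overflow detection and a sane upper bound, otherwise a wrapped product yields a buffer far smaller than the code later indexes. The struct layout, the 64 MiB cap and every name here (contrib_alloc, mul_overflows, wrapped_size32) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-row data a resampling filter keeps:
   one weight per source pixel inside the filter window. */
typedef struct {
    double *weights;
} contrib_row;

typedef struct {
    unsigned int line_length;   /* rows: one per output pixel on the scanline */
    unsigned int window_size;   /* weights per row */
    contrib_row *rows;
} contrib_table;

/* Assumed policy for this example: refuse any single allocation above 64 MiB. */
#define CONTRIB_MAX_BYTES ((size_t)64 * 1024 * 1024)

/* Multiply two size_t values; return 1 and leave *out untouched on overflow. */
int mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return 1;
    *out = a * b;
    return 0;
}

int would_overflow(size_t a, size_t b) { size_t o; return mul_overflows(a, b, &o); }

/* The unchecked form, modelled with 32-bit arithmetic so the wrap-around is
   visible on any host: the product silently loses its high bits, and the
   caller receives a buffer much smaller than count * elem_size. */
uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

void contrib_free(contrib_table *t)
{
    if (!t) return;
    if (t->rows) {
        for (unsigned int i = 0; i < t->line_length; i++) free(t->rows[i].weights);
        free(t->rows);
    }
    free(t);
}

/* Checked allocation: every byte count is computed with mul_overflows() and
   compared against the cap, so oversized dimensions return NULL instead of a
   wrapped (too small) buffer. */
contrib_table *contrib_alloc(unsigned int line_length, unsigned int window_size)
{
    size_t rows_bytes, weights_bytes, total_weights_bytes;
    if (line_length == 0 || window_size == 0) return NULL;
    if (mul_overflows(line_length, sizeof(contrib_row), &rows_bytes)) return NULL;
    if (mul_overflows(window_size, sizeof(double), &weights_bytes)) return NULL;
    if (mul_overflows(line_length, weights_bytes, &total_weights_bytes)) return NULL;
    if (rows_bytes > CONTRIB_MAX_BYTES || total_weights_bytes > CONTRIB_MAX_BYTES) return NULL;

    contrib_table *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->rows = calloc(line_length, sizeof(contrib_row));
    if (!t->rows) { free(t); return NULL; }
    t->line_length = line_length;   /* set early so contrib_free() can unwind */
    t->window_size = window_size;
    for (unsigned int i = 0; i < line_length; i++) {
        t->rows[i].weights = calloc(window_size, sizeof(double));
        if (!t->rows[i].weights) { contrib_free(t); return NULL; }
    }
    return t;
}

/* Allocate, verify the layout, free; returns 1 on success, 0 if refused. */
int contrib_try(unsigned int line_length, unsigned int window_size)
{
    contrib_table *t = contrib_alloc(line_length, window_size);
    if (!t) return 0;
    int ok = t->line_length == line_length && t->window_size == window_size
             && t->rows[line_length - 1].weights != NULL;
    contrib_free(t);
    return ok;
}

int main(void)
{
    printf("wrapped 0x40000001*8 -> %u\n", wrapped_size32(0x40000001u, 8));
    printf("4x3 table: %d, huge table: %d\n", contrib_try(4, 3), contrib_try(0xFFFFFFFFu, 1));
    return 0;
}
```

The cap matters as much as the overflow test: on a 64-bit host an attacker-sized line_length of 2^32 multiplied by 8 does not overflow size_t at all, it simply asks for 32 GiB, so a loader needs an explicit budget in addition to wrap-around detection.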

Comment 15 David Walser 2016-07-22 18:30:44 CEST
LWN reference for CVE-2016-6207:
http://lwn.net/Vulnerabilities/695169/
Comment 16 David Walser 2016-07-23 01:05:40 CEST
An issue in the test suite has been fixed by David Geiger.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header
reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or
RLE value (upstream issue 248).

Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207).

A regression in the previous update that caused some packages to fail to
build against libgd has also been fixed (mga#18947).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
https://bugs.php.net/bug.php?id=72558
https://bugs.mageia.org/show_bug.cgi?id=18938
https://bugs.mageia.org/show_bug.cgi?id=18947
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.3-1.1.mga5
libgd-devel-2.2.3-1.1.mga5
libgd-static-devel-2.2.3-1.1.mga5
gd-utils-2.2.3-1.1.mga5

from libgd-2.2.3-1.1.mga5.src.rpm
Comment 17 Len Lawrence 2016-07-23 18:42:38 CEST
x86_64

Updated packages installed cleanly.  Two-way gd2 image conversion utilities present in /bin.  No gd2 images available.
$ pngtogd2 -i zoom.png -o zoom.gd2 2048 1
$ ls zoom.gd2
zoom.gd2
$ display zoom.gd2
display: no decode delegate for this image format `GD2' @ error/constitute.c/ReadImage/504.
$ file zoom.gd2
zoom.gd2: data
$ display zoom.gif
This shows the icon OK.
Currently there is no easy way to read the PoC targa file (CVEs 6132, 6214) at the command line.
Dependent applications run fine at the shallow testing level.
-------------------------------------------------------------------------------

Checked a few applications.  nginx started OK.  The pcb circuit board interface comes up and looks functional.  Opened the gui for amule, a point2point network client.  fceux opened a gui - something to do with emulating the Nintendo Entertainment System - cannot go any further.

$ vnstat
Database updated: Sat Jul 23 15:46:55 2016

   enp3s0 since 21/07/16

          rx:  1.55 GiB      tx:  82.91 MiB      total:  1.63 GiB

   monthly
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
       Jul '16      1.55 GiB |   82.91 MiB |    1.63 GiB |    6.99 kbit/s
     ------------------------+-------------+-------------+---------------
     estimated      2.12 GiB |     112 MiB |    2.23 GiB |

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     yesterday     74.90 MiB |   47.05 MiB |  121.95 MiB |   11.56 kbit/s
         today      1.47 GiB |   34.80 MiB |    1.50 GiB |  221.32 kbit/s
     ------------------------+-------------+-------------+---------------
     estimated      2.23 GiB |      51 MiB |    2.28 GiB |

$ cd /usr/share/doc/gnuplot-nox/demo
$ gnuplot <*>.dem
A successful tour of the demonstration scripts indicates that gnuplot is working fine.  vector.dem created an output file so needed sudo to run.  Best to run these from a user directory but some need data files from the demo directory.
Comment 18 David Walser 2016-07-24 00:31:23 CEST
Tested fine with my usual apache/php/libgd test case, Mageia 5 i586.

Note that libgd runs its test suite at build time, so don't worry too much about the PoCs.

Whiteboard: (none) => MGA5-32-OK

Comment 19 Len Lawrence 2016-07-24 19:57:28 CEST
[OT] Still trying to figure out how to run Hello World php script so not able to adopt your approach.

On topic: with both our tests this looks fine for the two architectures then.
Validating.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA-64-OK

Len Lawrence 2016-07-24 19:57:51 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 20 Thomas Backlund 2016-07-26 21:02:09 CEST
advisory added

CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA-64-OK => MGA5-32-OK MGA-64-OK advisory

Comment 21 Mageia Robot 2016-07-26 21:12:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0258.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 22 David Walser 2016-08-23 15:55:22 CEST
Upstream issue 248 = CVE-2016-6905:
http://www.openwall.com/lists/oss-security/2016/08/23/1

Summary: libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214 => libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214, CVE-2016-6905

Comment 23 David Walser 2016-08-23 15:57:20 CEST
Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header
reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or
RLE value (CVE-2016-6905).

Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207).

A regression in the previous update that caused some packages to fail to
build against libgd has also been fixed (mga#18947).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6905
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
http://openwall.com/lists/oss-security/2016/08/23/1
https://bugs.php.net/bug.php?id=72558
https://bugs.mageia.org/show_bug.cgi?id=18938
https://bugs.mageia.org/show_bug.cgi?id=18947

Summary: libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214, CVE-2016-6905 => libgd new security issues CVE-2016-6132, CVE-2016-6207, CVE-2016-6214, and CVE-2016-6905

Comment 24 David Walser 2016-09-01 17:20:31 CEST
(In reply to David Walser from comment #22)
> Upstream issue 248 = CVE-2016-6905:
> http://www.openwall.com/lists/oss-security/2016/08/23/1

LWN reference:
http://lwn.net/Vulnerabilities/698984/
